Librem Key, practical usage scenarios

TL;DR summary

Let’s share experiences and usage scenarios with the Librem Key, beyond loading GPG keys on it, validating Heads/PureBoot, and decrypting LUKS.

Preface

I ordered a Librem Key and got it pretty quickly (awesome), and although it’s quite a lot thicker than my old YubiKey I like it. Hopefully in the future we’ll see a USB-C variant…

So I received it and started reading https://docs.puri.sm/Librem_Key/Getting_Started/User_Manual.html

Already having plenty of GPG keys I tried to adapt the instructions to my use case, not realizing that “keytocard” would MOVE my keys to the Librem Key (from now on I will simply write Key with a capital K to differentiate from a gpg key with a lower case k) rather than copy them. No big deal, I have backups.

OK so great. I can put 3 keys (one for signing, one for encryption, one for authentication) on the Key.

Now on to the actual questions. What can I do, and how should I set up my environment(s) to use the Key properly? This question goes beyond the simple setup and adding GPG keys to the Key. Beyond using it with Heads and PureBoot and LUKS. I don’t have a Librem laptop, and in fact I’m using Fedora on my Mac Mini but distro-hopping. My main machines are still macOS.

What do I do with it??

GPG

So I can put 3 GPG keys on it, great. Are there recommendations about what can be done and how I use these keys? Up until now, each email address I own has had its own GPG keys. That won’t work with the Key however, since I can only store 1 key of each type. Can I somehow use the keys on the Key to unlock my other keys? Or will I be limited to only using the Key with one email account?

Other uses - TOTP, HOTP, password management ???

On the technical specs, we can see the following:

  • Key slots: Three key slots supporting RSA 2048-4096 bit and ECC 256-512 bit
  • One-time password storage: 3x HOTP (RFC 4226), 15 x TOTP (RFC 6238)
  • Integrated password manager: 16 entries
  • Random number generator: 40 kbit/s true random number generator

How do I make use of the one time passwords, integrated password manager, and random number generator?

So this Key is a rebranded NitroKey. I went and downloaded the NitroKey app, only to find out that in both Fedora and macOS, the Librem Key is not recognized or detected. Great. I’ve seen some mentions about the macOS ccid driver being out of date, but that was for prior versions of the OS. Currently my Mac has version 1.4.27, and the NitroKey apparently needs 1.4.21 or greater. Yet it’s still not detected by their app.

On Fedora it might be because the key is not recognized at all unless I’m root, which is a whole other issue… How would I get it detected by the user? This goes for the gpg utility as well, which doesn’t detect the card unless I’m root. Needless to say I don’t want to use the card with only root.

Perhaps PureOS handles that properly so I might have to check how it’s done there…

Conclusion

So essentially, the documentation is sparse and incomplete, it would be nice to get more info about it, and share experiences with other users on here.

If I had one more item on my wishlist, it would be for the NitroKey and future Librem Keys to include U2F/FIDO as well, all in one package, like Yubico provides… That and USB-C support.

2 Likes

Nope, it’s not. It is produced by NitroKey, but it is completely different model, made by them specifically for Purism. No wonder it won’t be detected by Nitrokey’s tools.

Ok, small but important distinction, thanks for clarifying.

On the other hand NitroKey support said there would be an update to their app (if they have relevant information already, https://github.com/Nitrokey/libnitrokey/issues/162) that would be able to detect the Purism Key, at the end of this month… Without that however, how would one take advantage of all the features of the Librem Key?

Follow-up, I can at least use the Key with a non-root user in Fedora now, after adding the line:

ATTR{idVendor}=="316d", ATTR{idProduct}=="4c4b", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", TAG+="uaccess"

To the existing /etc/udev/rules.d/41-nitrokey.rules file I obtained from the NitroKey forums, restarting systemd-udev with systemctl and re-plugging the Key. So that’s progress!

Full contents of my 41-nitrokey.rules:

# Nitrokey U2F
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0664", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0"

SUBSYSTEM!="usb", GOTO="gnupg_rules_end"
ACTION!="add", GOTO="gnupg_rules_end"

# USB SmartCard Readers
## Crypto Stick 1.2
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4107", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", TAG+="uaccess"
## Nitrokey Pro
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4108", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", TAG+="uaccess"
## Nitrokey Storage
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4109", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", TAG+="uaccess"
## Nitrokey Start
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4211", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", TAG+="uaccess"
## Nitrokey HSM
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4230", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", TAG+="uaccess"
## Purism Key
ATTR{idVendor}=="316d", ATTR{idProduct}=="4c4b", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", TAG+="uaccess"

LABEL="gnupg_rules_end"


# Nitrokey Storage dev Entry
KERNEL=="sd?1", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4109", SYMLINK+="nitrospace"

1 Like
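A small checker for the rules file described in the post above, as an added example that is not part of the thread: it parses a udev rules file and confirms that an active rule for the Librem Key’s USB IDs (316d:4c4b, as quoted in the post) tags the device with uaccess, which is what lets a non-root desktop user reach the Key. The sample rules files are constructed in a temporary directory; the real file path /etc/udev/rules.d/41-nitrokey.rules is assumed from the post.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a udev rules file grants
# non-root (uaccess) access to the Librem Key, which enumerates as USB
# vendor 316d, product 4c4b (the IDs quoted in the post above).
LIBREM_VID="316d"
LIBREM_PID="4c4b"

# librem_key_rule_present FILE
# Returns 0 if FILE contains an active (uncommented) rule matching the
# Librem Key's vendor/product IDs that also carries TAG+="uaccess";
# returns 1 otherwise (including when FILE is unreadable).
librem_key_rule_present() {
    rules="$1"
    [ -r "$rules" ] || return 1
    grep -v '^[[:space:]]*#' "$rules" \
      | grep -E "ATTRS?\{idVendor\}==\"${LIBREM_VID}\"" \
      | grep -E "ATTRS?\{idProduct\}==\"${LIBREM_PID}\"" \
      | grep -q 'TAG+="uaccess"'
}

# Constructed sample files for a stand-alone run (assumption: the real file
# lives at /etc/udev/rules.d/41-nitrokey.rules, as in the post above).
tmpdir="$(mktemp -d)"
GOOD_RULES="$tmpdir/41-nitrokey.rules"
BAD_RULES="$tmpdir/41-missing.rules"
cat > "$GOOD_RULES" <<'EOF'
SUBSYSTEM!="usb", GOTO="gnupg_rules_end"
## Purism Key
ATTR{idVendor}=="316d", ATTR{idProduct}=="4c4b", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", TAG+="uaccess"
LABEL="gnupg_rules_end"
EOF
cat > "$BAD_RULES" <<'EOF'
## Nitrokey Pro only; the Librem Key line is commented out, so it is inactive
# ATTR{idVendor}=="316d", ATTR{idProduct}=="4c4b", TAG+="uaccess"
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4108", TAG+="uaccess"
EOF

if librem_key_rule_present "$GOOD_RULES"; then echo "sample rules: Librem Key rule ok"; fi
if ! librem_key_rule_present "$BAD_RULES"; then echo "sample rules: Librem Key rule missing"; fi

# After editing the real file, reload the rules without rebooting and
# re-plug the Key (equivalent to the restart mentioned in the post):
#   sudo udevadm control --reload-rules && sudo udevadm trigger
```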

I also had to add to my udev rules to get non-root users to see the key (Fedora).

I’ve exported the ssh compatible version of the public part of my Authentication subkey:

[selrahal@localhost ~]$ gpg2 --export-ssh-key <key-id>

I don’t allow password based authentication to my home server. Now with the librem key I can ssh from any host and I know the private key won’t leave my usb. I used to have to keep my private key on a normal usb, safer this way :smiley:
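The piece that makes the exported public key usable for SSH is gpg-agent acting as the SSH agent; the following is an added example (not from the post or from Purism) that idempotently enables that option in a gpg-agent.conf file and shows how the agent socket is located. It runs against a constructed config in a temporary directory; a real setup would target ~/.gnupg/gpg-agent.conf, and the gpgconf/ssh-add commands in the comments need GnuPG installed.

```shell
#!/bin/sh
# Added example (not from the thread): make gpg-agent serve as the SSH agent so
# the Authentication subkey on the Key answers SSH challenges, which is what
# lets the "gpg2 --export-ssh-key" public key from the post be used from any host.

# enable_agent_ssh_support CONF
# Idempotently adds "enable-ssh-support" to a gpg-agent.conf file
# (normally ~/.gnupg/gpg-agent.conf). Returns 0 when the option is present
# afterwards, 1 if the file could not be created or written.
enable_agent_ssh_support() {
    conf="$1"
    mkdir -p "$(dirname "$conf")" || return 1
    touch "$conf" || return 1
    if ! grep -q '^[[:space:]]*enable-ssh-support[[:space:]]*$' "$conf"; then
        printf 'enable-ssh-support\n' >> "$conf" || return 1
    fi
    grep -q '^[[:space:]]*enable-ssh-support[[:space:]]*$' "$conf"
}

# count_option CONF: number of active enable-ssh-support lines (should be 1).
count_option() {
    grep -c '^[[:space:]]*enable-ssh-support[[:space:]]*$' "$1"
}

# agent_ssh_socket: asks gpgconf where gpg-agent's SSH socket is; only works
# where GnuPG is installed. SSH_AUTH_SOCK must point at this path.
agent_ssh_socket() {
    command -v gpgconf >/dev/null 2>&1 || return 1
    gpgconf --list-dirs agent-ssh-socket
}

# Stand-alone demonstration on a constructed config in a temp directory
# (assumption: a real setup targets $HOME/.gnupg/gpg-agent.conf instead).
tmpdir="$(mktemp -d)"
DEMO_CONF="$tmpdir/gpg-agent.conf"
printf '# constructed sample config\ndefault-cache-ttl 600\n' > "$DEMO_CONF"
enable_agent_ssh_support "$DEMO_CONF"
enable_agent_ssh_support "$DEMO_CONF"   # second call must not duplicate the line
echo "enable-ssh-support lines: $(count_option "$DEMO_CONF")"   # prints 1

# On a real host, after editing the file, restart the agent and point ssh at it:
#   gpgconf --kill gpg-agent
#   export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
#   ssh-add -L    # lists the Key's Authentication subkey while it is plugged in
```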

This thread makes me sad :frowning:

It asks a very important question about real world use of the ‘exciting, new, librem key’ and has no answers. I also have a librem key and a librem 15 laptop. While I know it is theoretically possible to have the key used to secure the boot process, files, partitions, and the login process there seems to be no accessible documentation. https://docs.puri.sm/Librem_Key.html is a nice start but does not mention those use cases. And even worse, no one posted on this thread pointing to said doc or missing information… sigh
I see random postings on the forums asking about some of this but again, nitro key is often mentioned and since librem key is not exactly the same as a nitro key it is very inaccessible.

2 Likes

Agree with the above, and as the original poster of this thread I’m saddened as well.

I essentially bought a Key with features advertised, that are not all enabled/usable/available.

I’m considering getting a well-supported NitroKey rather than a second Librem Key. I also got myself a YubiKey 5Ci which is nicely supported and uses USB-C, however much more proprietary.

This thread…asks a very important question about real world use of the ‘exciting, new, librem key’ and has [few] answers.

+1 I hope that more documentation for non-experts is on the way.

@patrixl Thank you for giving instructions on non-root access to the key. Your 41-nitrokey.rules file, copied into /etc/udev/rules folder, works in MX Linux (Debian-based, no systemd). This info could be included in the Getting_Started/User_Manual page.

I am very interested in the “Integrated password manager: 16 entries” How is it used?

1 Like

Hello again
Use of the Librem Key is obvious to you experts, but not to me. :frowning: I received a Key as a gift from my daughter, possibly in reprisal for having insisted she learn gpg. I don’t have a purism laptop or pureOS and have no prior experience with smart cards.

In the spirit of the OP,

Let’s share experiences and usage scenarios

This list of potential uses might help other noobs. I managed to get through #1. I hope people will contribute more information and corrections.

What can I do with a Librem Key?

  1. Safely transport my gpg subkeys; encrypt, sign and decrypt messages on any computer which has gpg and scdaemon, by entering my pin.

    Preparation:
    install scdaemon, allow non-root access to the Key as described in post #4 above. Transfer gpg subkeys to the Key, as described in the user manual.

    Notes:
    I retained subkeys on my home computer so I can use gpg without the Key (tar cvf gnupg.tar ~/.gnupg, then transfer subkeys, then tar xvf gnupg.tar). I hoped gpg would sign and decrypt via 6-digit pin when the Key is present, but it does not. I have to enter my full passphrase.

    Unfortunately, public keys other than my own E subkey cannot be stored on the Key and must be imported.

  2. password manager
    This feature, if it exists, would make the Key ten times more useful for me. Purism, please provide documentation!

    Edit: the nitrokey password manager (“Store ordinary passwords securely in the Password Manager. Maximum 16 passwords”) requires the nitrokey app, but the app does not detect the Librem key

  3. “…with the Librem Key I can ssh from any host and I know the private key won’t leave my usb.” (post #5)

  4. decrypt a luks-encrypted disk at startup by entering a 6-digit pin (fallback to passphrase). (User manual)
    Requires script from puri.sm.

  5. lock desktop when key is removed (User manual)
    Requires script from puri.sm.

  6. detect tampered bios on purism laptops
    "In theory, anyone running PureOS on a TPM-enabled system should be able to make use of the Librem Key’s secure-boot functionality." article

  7. and 8. one-time passwords, random number generator
    Documentation?

3 Likes

Since my last post on this thread I have been using the librem key to encrypt all of my data on a usb stick and carrying it with me. In addition, I am using an online backup service (with encryption) to backup each time I make changes.

It’s working well but requires manual commands and sudo access (kinda clunky). LUKS containers are not yet integrated with smart cards. I’m discussing this on the dm-crypt mailing list and there is potential for tighter integration once cryptsetup-2.4.0 RC0 is out.

I am documenting my experiences at https://sites.google.com/site/jtmoree/knowledge-base/smart-cards-and-linux. highlights:

  • typing passwords is rare now
  • smart card systems are flaky
  • gnome integration with smart card is really flaky
  • got rid of the gnome keyring password
1 Like